• mrmaplebar@fedia.io
    22 hours ago

    I kind of disagree. How can you be certain a person is a certain age without determining who that person is?

    The local AI concept is flawed, as is anything that relies on trusting the user.

    If you want to be certain that someone is over 18 at some point you need a government ID or birth certificate, and at that point you know a hell of a lot more about them than their age.

    This is identity verification.

    • NateNate60@lemmy.world
      16 hours ago

      In general, we accept that the Government already knows who you are, how old you are, and where you live. That’s already a given. The purpose of a zero-knowledge age verification scheme is to allow a third party (not the Government) to be confident that a person is an adult, without being given any additional information or being able to deduce any additional information from what they’re given. So essentially, they get only 1 bit of information: whether the user is an adult (true/false). In practice, a perfect system is not possible, since the fact that you receive a response also means you get the answer to related questions, like whether the user possesses a Government-issued ID (obviously “true” if they can successfully complete the verification).

      So, here’s how such a scheme might work. There are many possible implementations.

      In the United States, we have (optional) digital ID cards. These are added to one’s digital wallet in a similar manner to payment cards and can be used for things like buying alcohol, getting through airport security, and driving. This digital infrastructure can be re-used.

      1. An organisation which wants to perform digital identity verification generates a cryptographic key pair and registers the public key with a Government server ahead of time. The public key is published to a Government-run public keyserver.
      2. A website that wants to verify a user’s age sends a verification request to a Government server, digitally signed with their private key. The server responds with a request ID, which is a random, but unique, string of characters.
      3. The website provides this string to the user. The user copies the string.
      4. The user opens their digital wallet, selects their ID card, and then opens the age verification feature. The user pastes the request ID into their digital wallet, which fetches information about the request from the Government server. Because the request which the request ID is associated with was signed using the organisation’s private key, the Government can tell the user who initiated the request.
      5. The user is asked to confirm/deny the age verification request. If the user confirms the request, then a biometric will be required to access their private key (these are stored in the device’s keystore), sign the approval response, and then send that response to the Government server. The Government server checks that the signature is valid and tied to the key associated with that ID before marking the verification request as completed.
      6. After confirming, the user returns to the website and clicks a button which says “I’ve completed the verification.” The website then queries the request ID with the Government server (again, signing the request with their private key). The Government server responds with “completed” if the user has accepted the request, or “not completed” if the user has either not yet accepted the request or denied it.
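
The six-step flow described in the comment above, modelled in memory as an added example; it is not code from the thread or from any real government or wallet API. Assumptions: Ed25519 signatures, the `open:`/`approve:`/`status:` message formats, every class, method and identifier name, and the server checking an adult flag on the ID at approval time. Replay protection and the biometric unlock are left out.

```javascript
// Added example: all names and message formats are assumptions, not a real API.
const crypto = require('node:crypto');
const newKeys = () => crypto.generateKeyPairSync('ed25519');
const sign = (key, msg) => crypto.sign(null, Buffer.from(msg), key);
const verify = (key, msg, sig) => crypto.verify(null, Buffer.from(msg), key, sig);

class GovServer {
  constructor() {
    this.orgKeys = new Map();   // step 1: organisation -> registered public key
    this.idKeys = new Map();    // ID card -> wallet public key and adult flag
    this.requests = new Map();  // request ID -> { org, approved }
  }
  registerOrg(org, publicKey) { this.orgKeys.set(org, publicKey); }
  enrolId(cardId, publicKey, isAdult) { this.idKeys.set(cardId, { publicKey, isAdult }); }
  // Step 2: only a request signed by a registered organisation gets a request ID.
  openRequest(org, sig) {
    const key = this.orgKeys.get(org);
    if (!key || !verify(key, `open:${org}`, sig)) throw new Error('bad org signature');
    const requestId = crypto.randomBytes(16).toString('hex');
    this.requests.set(requestId, { org, approved: false });
    return requestId;
  }
  // Step 4: the wallet shows the user who initiated the request.
  describe(requestId) { return this.requests.get(requestId)?.org; }
  // Step 5: the approval must verify against the key tied to that ID card.
  approve(cardId, requestId, sig) {
    const id = this.idKeys.get(cardId), req = this.requests.get(requestId);
    if (!id || !req || !verify(id.publicKey, `approve:${requestId}`, sig)) return false;
    req.approved = id.isAdult;  // assumption: the age check happens here
    return req.approved;
  }
  // Step 6: the opening organisation polls and learns a single bit, never cardId.
  status(org, requestId, sig) {
    const key = this.orgKeys.get(org), req = this.requests.get(requestId);
    if (!key || !req || req.org !== org || !verify(key, `status:${requestId}`, sig))
      throw new Error('not authorised');
    return req.approved ? 'completed' : 'not completed';
  }
}

function demo() {  // constructed run: one site, one adult ID, one unrelated key
  const gov = new GovServer(), site = newKeys(), user = newKeys(), other = newKeys();
  gov.registerOrg('site.example', site.publicKey);
  gov.enrolId('card-1', user.publicKey, true);
  const rid = gov.openRequest('site.example', sign(site.privateKey, 'open:site.example'));
  const poll = () => gov.status('site.example', rid, sign(site.privateKey, `status:${rid}`));
  const before = poll();
  const forged = gov.approve('card-1', rid, sign(other.privateKey, `approve:${rid}`));
  gov.approve('card-1', rid, sign(user.privateKey, `approve:${rid}`));
  return { asker: gov.describe(rid), before, forged, after: poll() };
}
```

The website-facing `status` call returns only the completed flag, while the Government server sees both the organisation and the ID card for every request.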